diff --git a/README.md b/README.md index f8c0704d21..e7f3365fa3 100644 --- a/README.md +++ b/README.md @@ -209,6 +209,7 @@ Future supported clouds: AWS ## Support Matrix Cloud | Mint | Mint + Remove Admin Cred | Passthrough | Manual | Token --- | --- | --- | --- | --- | --- +AlibabaCloud | N | N | N | Y | N AWS | Y | 4.4+ | Y | 4.3+ | 4.6+ (expected) Azure | Y | N | Y | Y | N GCP | Y | 4.7+ | Y | Y | N diff --git a/pkg/apis/cloudcredential/v1/register.go b/pkg/apis/cloudcredential/v1/register.go index 4f135da68a..7a01044f65 100644 --- a/pkg/apis/cloudcredential/v1/register.go +++ b/pkg/apis/cloudcredential/v1/register.go @@ -54,6 +54,7 @@ func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &CredentialsRequest{}, &CredentialsRequestList{}, + &AlibabaCloudProviderStatus{}, &AlibabaCloudProviderSpec{}, &AWSProviderStatus{}, &AWSProviderSpec{}, &AzureProviderStatus{}, &AzureProviderSpec{}, &GCPProviderStatus{}, &GCPProviderSpec{}, diff --git a/pkg/apis/cloudcredential/v1/types_alibabacloud.go b/pkg/apis/cloudcredential/v1/types_alibabacloud.go new file mode 100644 index 0000000000..e6ddcb06a5 --- /dev/null +++ b/pkg/apis/cloudcredential/v1/types_alibabacloud.go 
@@ -0,0 +1,56 @@
+/*
+Copyright 2021 The OpenShift Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// TODO: these types should eventually be broken out, along with the actuator, to a separate repo.
+
+// AlibabaCloudProviderSpec is the specification of the credentials request in Alibaba Cloud.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type AlibabaCloudProviderSpec struct {
+ metav1.TypeMeta `json:",inline"`
+ Statement []Entry `json:"statement"`
+}
+
+// Entry models an Alibaba Cloud policy statement entry.
+type Entry struct {
+ // Effect indicates if this policy statement is to Allow or Deny.
+ Effect string `json:"effect"`
+ // Action describes the particular Alibaba Cloud service actions that should be allowed or denied. (i.e. ecs:StartInstances, actiontrail:LookupEvents)
+ Action []string `json:"action"`
+ // Resource specifies the object(s) this statement should apply to. (or "*" for all)
+ Resource string `json:"resource"`
+ // Condition specifies under which condition Entry will apply
+ Condition Condition `json:"condition,omitempty"`
+}
+
+// Condition - map of condition types, with associated key - value mapping
+// +k8s:deepcopy-gen=false
+type Condition map[string]ConditionKeyValue
+
+// ConditionKeyValue - mapping of values for the chosen type
+// +k8s:deepcopy-gen=false
+type ConditionKeyValue map[string]interface{}
+
+// AlibabaCloudProviderStatus contains the status of the Alibaba Cloud credentials request.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type AlibabaCloudProviderStatus struct {
+ metav1.TypeMeta `json:",inline"`
+}
diff --git a/pkg/apis/cloudcredential/v1/zz_generated.deepcopy.go b/pkg/apis/cloudcredential/v1/zz_generated.deepcopy.go
index 17c9c705a9..464dbb17c7 100644
--- a/pkg/apis/cloudcredential/v1/zz_generated.deepcopy.go
+++ b/pkg/apis/cloudcredential/v1/zz_generated.deepcopy.go
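Review bot: `Effect` and `Resource` in `Entry` are plain strings with no validation attached, so a misspelled effect or a `"*"` resource passes through the API type unchecked and has to be caught by whatever builds the Alibaba Cloud policy from these statements (not part of this hunk). At minimum the field comments should state the contract, e.g. `// Effect must be "Allow" or "Deny"; any other value is rejected.`, and the consumer should enforce it. `ConditionKeyValue` is `map[string]interface{}`, so its comment should also say which value shapes are accepted, e.g. `// Values are a string or a list of strings.` if that is what the deep-copy helper in this commit supports.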
@@ -8,6 +8,113 @@ import (
 runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AlibabaCloudProviderSpec) DeepCopyInto(out *AlibabaCloudProviderSpec) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ if in.Statement != nil {
+ in, out := &in.Statement, &out.Statement
+ *out = make([]Entry, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlibabaCloudProviderSpec.
+func (in *AlibabaCloudProviderSpec) DeepCopy() *AlibabaCloudProviderSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(AlibabaCloudProviderSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *AlibabaCloudProviderSpec) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AlibabaCloudProviderStatus) DeepCopyInto(out *AlibabaCloudProviderStatus) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlibabaCloudProviderStatus.
+func (in *AlibabaCloudProviderStatus) DeepCopy() *AlibabaCloudProviderStatus {
+ if in == nil {
+ return nil
+ }
+ out := new(AlibabaCloudProviderStatus)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *AlibabaCloudProviderStatus) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Entry) DeepCopyInto(out *Entry) {
+ *out = *in
+ if in.Action != nil {
+ in, out := &in.Action, &out.Action
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ in.Condition.DeepCopyInto(&out.Condition)
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Entry.
+func (in *Entry) DeepCopy() *Entry {
+ if in == nil {
+ return nil
+ }
+ out := new(Entry)
+ in.DeepCopyInto(out)
+ return out
+}
+
+func (in *Condition) DeepCopy() *Condition {
+ if in == nil {
+ return nil
+ }
+ out := new(Condition)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is a deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Condition) DeepCopyInto(out *Condition) {
+ if *in == nil {
+ return
+ }
+
+ *out = make(Condition, len(*in))
+ tgt := *out
+
+ for key, val := range *in {
+ if val != nil {
+ tgt[key] = make(ConditionKeyValue, len(val))
+ for subKey, subVal := range val {
+ tgt[key][subKey] = copyStringOrStringSlice(subVal)
+ }
+ }
+ }
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AWSProviderSpec) DeepCopyInto(out *AWSProviderSpec) {
 *out = *in
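Review bot: `Condition.DeepCopy` and `Condition.DeepCopyInto` look hand-written (their comments lack the "autogenerated" wording, and `Condition` is marked `+k8s:deepcopy-gen=false` in types_alibabacloud.go), yet they are added to zz_generated.deepcopy.go, so regenerating this file would presumably drop them and leave `Entry.DeepCopyInto` calling a method that no longer exists. They belong in a hand-maintained file next to the type. `Condition.DeepCopyInto` also omits keys whose value map is nil and passes every value through `copyStringOrStringSlice`, which is not visible in this diff; if that helper returns nil for other JSON shapes, a copied policy statement could silently lose a condition and apply more broadly than the original, so a test with a non-string value is worth adding. `Condition.DeepCopy` has no doc comment; something like `// DeepCopy returns a deep copy of the Condition, or nil if in is nil.` would match the neighbours.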